<!DOCTYPE html>
<html>

<head>
  <title>Quarkus - Using HashiCorp Vault</title>
  <script id="adobe_dtm" src="https://www.redhat.com/dtm.js" type="text/javascript"></script>
  <script src="/assets/javascript/highlight.pack.js" type="text/javascript"></script>
  <META HTTP-EQUIV='Content-Security-Policy' CONTENT="default-src 'none'; script-src 'self' 'unsafe-eval' 'sha256-ANpuoVzuSex6VhqpYgsG25OHWVA1I+F6aGU04LoI+5s=' 'sha256-ipy9P/3rZZW06mTLAR0EnXvxSNcnfSDPLDuh3kzbB1w=' js.bizographics.com https://www.redhat.com assets.adobedtm.com jsonip.com https://ajax.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://use.fontawesome.com; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' *; media-src 'self' ; frame-src https://www.googletagmanager.com https://www.youtube.com; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;">
  <META HTTP-EQUIV='X-Frame-Options' CONTENT="DENY">
  <META HTTP-EQUIV='X-XSS-Protection' CONTENT="1; mode=block">
  <META HTTP-EQUIV='X-Content-Type-Options' CONTENT="nosniff">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Quarkus: Supersonic Subatomic Java">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:site" content="@QuarkusIO"> 
  <meta name="twitter:creator" content="@QuarkusIO">
  <meta property="og:url" content="https://quarkus.io/guides/vault" />
  <meta property="og:title" content="Quarkus - Using HashiCorp Vault" />
  <meta property="og:description" content="Quarkus: Supersonic Subatomic Java" />
  <meta property="og:image" content="/assets/images/quarkus_card.png" />
  <link rel="canonical" href="https://quarkus.io/guides/vault">
  <link rel="shortcut icon" type="image/png" href="/favicon.ico" >
  <link rel="stylesheet" href="https://quarkus.io/guides/stylesheet/config.css" />
  <link rel="stylesheet" href="/assets/css/main.css" />
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
  <link rel="alternate" type="application/rss+xml"  href="https://quarkus.io/feed.xml" title="Quarkus">
  <script src="https://quarkus.io/assets/javascript/goan.js" type="text/javascript"></script>
  <script src="https://quarkus.io/assets/javascript/hl.js" type="text/javascript"></script>
</head>

<body class="guides">
  <!-- Google Tag Manager (noscript) -->
  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NJWS5L"
  height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
  <!-- End Google Tag Manager (noscript) -->

  <div class="nav-wrapper">
  <div class="grid-wrapper">
    <div class="width-12-12">
      <input type="checkbox" id="checkbox" />
      <nav id="main-nav" class="main-nav">
  <div class="container">
    <div class="logo-wrapper">
      
        <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_600px_reverse.png" class="project-logo" title="Quarkus"></a>
      
    </div>
    <label class="nav-toggle" for="checkbox">
      <i class="fa fa-bars"></i>
    </label>
    <div id="menu" class="menu">
      <span>
        <a href="/get-started/" class="">Get Started</a>
      </span>
      <span>
        <a href="/guides/" class="active">Guides</a>
      </span>
      <span>
        <a href="/community/" class="">Community</a>
      </span>
      <span>
        <a href="/support/" class="">Support</a>
      </span>
      <span>
        <a href="/blog/" class="">Blog</a>
      </span>
      <span>
        <a href="https://code.quarkus.io" class="button-cta secondary white">Start Coding</a>
      </span>
    </div>
  </div>
      </nav>
    </div>
  </div>
</div>

  <div class="content">
    <div class="guide">
  <div class="width-12-12">
    <h1 class="text-caps">Quarkus - Using HashiCorp Vault</h1>
    <div class="hide-mobile toc"><ul class="sectlevel1">
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#starting-vault">Starting Vault</a></li>
<li><a href="#create-a-quarkus-application-with-a-secret-configuration">Create a Quarkus application with a secret configuration</a></li>
<li><a href="#programmatic-access-to-the-kv-secret-engine">Programmatic access to the KV secret engine</a></li>
<li><a href="#totp">TOTP Secrets Engine</a></li>
<li><a href="#vault-health-check">Vault Health Check</a></li>
<li><a href="#tls">TLS</a></li>
<li><a href="#vault-provisioning">Vault Provisioning</a></li>
<li><a href="#conclusion">Conclusion</a></li>
<li><a href="#configuration-reference">Configuration Reference</a></li>
</ul></div>
    <div>
      <div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://www.vaultproject.io/">HashiCorp Vault</a> is a multi-purpose tool aiming at protecting sensitive data, such as
credentials, certificates, access tokens, encryption keys, &#8230;&#8203; In the context of Quarkus, several use cases
are supported:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>mounting a map of properties stored into the
<a href="https://www.vaultproject.io/docs/secrets/kv/index.html">Vault kv secret engine</a> as an Eclipse MicroProfile config source</p>
</li>
<li>
<p>fetching credentials from Vault when configuring an Agroal datasource, as documented in the <a href="vault-datasource">Vault Datasource Guide</a></p>
</li>
<li>
<p>accessing Vault <em>kv secret engine</em> programmatically</p>
</li>
<li>
<p>support for the <a href="https://www.vaultproject.io/docs/secrets/totp">TOTP Secret Engine</a></p>
</li>
<li>
<p>support for the <a href="https://www.vaultproject.io/docs/secrets/transit">Transit Secret Engine</a> as documented
in the <a href="vault-transit">Vault Transit Secret Engine Guide</a></p>
</li>
<li>
<p>support for several authentication methods as documented in the <a href="vault-auth">Vault Authentication guide</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Under the hood, the Quarkus Vault extension takes care of authentication when negotiating a client Vault token plus
any transparent token or lease renewals according to <em>ttl</em> and <em>max-ttl.</em></p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>This technology is considered preview.</p>
</div>
<div class="paragraph">
<p>In <em>preview</em>, backward compatibility and presence in the ecosystem is not guaranteed.
Specific improvements might require to change configuration or APIs and plans to become <em>stable</em> are under way.
Feedback is welcome on our <a href="https://groups.google.com/d/forum/quarkus-dev">mailing list</a> or as issues in our <a href="https://github.com/quarkusio/quarkus/issues">GitHub issue tracker</a>.</p>
</div>
<div class="paragraph">
<p>For a full list of possible extension statuses, check our <a href="https://quarkus.io/faq/#extension-status">FAQ entry</a>.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="prerequisites"><a class="anchor" href="#prerequisites"></a>Prerequisites</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To complete this guide, you need:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>roughly 20 minutes</p>
</li>
<li>
<p>an IDE</p>
</li>
<li>
<p>JDK 1.8+ installed with <code>JAVA_HOME</code> configured appropriately</p>
</li>
<li>
<p>Apache Maven 3.6.2+</p>
</li>
<li>
<p>Docker installed</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="starting-vault"><a class="anchor" href="#starting-vault"></a>Starting Vault</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Let&#8217;s start Vault in development mode:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">docker run --rm --cap-add=IPC_LOCK -e VAULT_ADDR=http://localhost:8200 -p 8200:8200 -d --name=dev-vault vault:1.2.2</code></pre>
</div>
</div>
<div class="paragraph">
<p>You can check that vault is running with:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">docker logs dev-vault</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should see:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">==&gt; Vault server configuration:

             Api Address: http://0.0.0.0:8200
                     Cgo: disabled
         Cluster Address: https://0.0.0.0:8201
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v1.2.2

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: 0lZ2/vzpa92pH8gersSn2h9b5tmzd4m5sqIdMC/4PDs=
Root Token: s.5VUS8pte13RqekCB2fmMT3u2

Development mode should NOT be used in production installations!

==&gt; Vault server started! Log data will stream in below:</code></pre>
</div>
</div>
<div class="paragraph">
<p>In development mode, Vault gets configured with several options that makes it convenient:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Vault is already initialized with one key share (whereas in normal mode this has to be done explicitly and the
number of key shares is 5 by default)</p>
</li>
<li>
<p>the unseal key and the root token are displayed in the logs (please write down the root token, we will need it
in the following step)</p>
</li>
<li>
<p>Vault is unsealed</p>
</li>
<li>
<p>in-memory storage</p>
</li>
<li>
<p>TLS is disabled</p>
</li>
<li>
<p>a <em>kv secret engine v2</em> is mounted at <code>secret/</code></p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>By default Quarkus assumes that a <em>kv secret engine</em> in version <strong>2</strong> mounted at path <code>secret/</code> will be used.
If that is not the case, please use properties <code>quarkus.vault.kv-secret-engine-version</code>
and <code>quarkus.vault.kv-secret-engine-mount-path</code> accordingly.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>In the following step, we are going to add a <code>userpass</code> authentication that we will use from the Quarkus application,
to access a secret stored in the <em>kv secret engine</em>.</p>
</div>
<div class="paragraph">
<p>First open a shell inside the vault container:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">docker exec -it dev-vault sh</code></pre>
</div>
</div>
<div class="paragraph">
<p>Set the <code>VAULT_TOKEN</code> with the value that was printed in the logs:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">export VAULT_TOKEN=s.5VUS8pte13RqekCB2fmMT3u2</code></pre>
</div>
</div>
<div class="paragraph">
<p>You can check Vault&#8217;s status using the CLI command <code>vault status</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.2.2
Cluster Name    vault-cluster-b07e80d8
Cluster ID      55bd74b6-eaaf-3862-f7ce-3473ab86c57f
HA Enabled      false</code></pre>
</div>
</div>
<div class="paragraph">
<p>Now let&#8217;s add a secret configuration for our application:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">vault kv put secret/myapps/vault-quickstart/config a-private-key=123456</code></pre>
</div>
</div>
<div class="paragraph">
<p>We have defined a path <code>secret/myapps/vault-quickstart</code> in Vault that we need to give access to from the Quarkus application.</p>
</div>
<div class="paragraph">
<p>Create a policy that gives read access to <code>secret/myapps/vault-quickstart</code> and subpaths:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">cat &lt;&lt;EOF | vault policy write vault-quickstart-policy -
path "secret/data/myapps/vault-quickstart/*" {
  capabilities = ["read"]
}
EOF</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>When using a <em>kv secret engine version 2</em>, secrets are written and fetched at path <code>&lt;mount&gt;/<strong>data</strong>/&lt;secret-path&gt;</code>
as opposed to <code>&lt;mount&gt;/&lt;secret-path&gt;</code> in a <em>kv secret engine version 1</em>.
It does not change any of the CLI commands (i.e. you do not specify <code>data</code> in your path).
However it does change the policies, since capabilities are applied to the real path. In the example above,
the path is <code>secret/<strong>data</strong>/myapps/vault-quickstart/*</code> since we are working with a <em>kv secret engine version 2</em>.
It would be <code>secret/myapps/vault-quickstart/*</code> with a <em>kv secret engine version 1</em>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>And finally, let&#8217;s enable the <em>userpass auth secret engine</em>, and create user <code>bob</code> with access to the <code>vault-quickstart-policy</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">vault auth enable userpass
vault write auth/userpass/users/bob password=sinclair policies=vault-quickstart-policy</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>Quarkus supports additional Vault Authentication methods. Check the <a href="vault-auth">Vault Authentication guide</a> for details.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>To check that the configuration is correct, try logging in:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">vault login -method=userpass username=bob password=sinclair</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should see:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.s93BVzJPzBiIGuYJHBTkG8Uw
token_accessor         OKNipTAgxWbxsrjixASNiwdY
token_duration         768h
token_renewable        true
token_policies         ["default" "vault-quickstart-policy"]
identity_policies      []
policies               ["default" "vault-quickstart-policy"]
token_meta_username    bob</code></pre>
</div>
</div>
<div class="paragraph">
<p>Now set <code>VAULT_TOKEN</code> to the <code>token</code> above (instead of the root token), and try reading the vault-quickstart secret config:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">export VAULT_TOKEN=s.s93BVzJPzBiIGuYJHBTkG8Uw
vault kv get secret/myapps/vault-quickstart/config</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should see:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">======== Data ========
Key              Value
---              -----
a-private-key    123456</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="create-a-quarkus-application-with-a-secret-configuration"><a class="anchor" href="#create-a-quarkus-application-with-a-secret-configuration"></a>Create a Quarkus application with a secret configuration</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">mvn io.quarkus:quarkus-maven-plugin:1.7.0.Final:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=vault-quickstart \
    -DclassName="org.acme.quickstart.GreetingResource" \
    -Dpath="/hello" \
    -Dextensions="vault"
cd vault-quickstart</code></pre>
</div>
</div>
<div class="paragraph">
<p>If you already have your Quarkus project configured, you can add the <code>vault</code> extension
to your project by running the following command in your project base directory:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw quarkus:add-extension -Dextensions="vault"</code></pre>
</div>
</div>
<div class="paragraph">
<p>This will add the following to your <code>pom.xml</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="xml" class="language-xml hljs">&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-vault&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>
</div>
</div>
<div class="paragraph">
<p>Configure access to Vault from the <code>application.properties</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="properties" class="language-properties hljs"># vault url
quarkus.vault.url=http://localhost:8200

# vault authentication
quarkus.vault.authentication.userpass.username=bob
quarkus.vault.authentication.userpass.password=sinclair

# path within the kv secret engine where is located the vault-quickstart secret configuration
quarkus.vault.secret-config-kv-path=myapps/vault-quickstart/config</code></pre>
</div>
</div>
<div class="paragraph">
<p>This should mount whatever keys are stored in <code>secret/myapps/vault-quickstart</code> as MicroProfile Config properties.</p>
</div>
<div class="paragraph">
<p>Let&#8217;s verify that by adding a new endpoint in GreetingResource:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">@Path("/hello")
public class GreetingResource {

    @ConfigProperty(name = "a-private-key")
    String privateKey;

    ...

    @GET
    @Path("/private-key")
    @Produces(MediaType.TEXT_PLAIN)
    public String privateKey() {
        return privateKey;
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Now compile the application and run it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">./mvnw clean install
java -jar target/vault-quickstart-1.0-SNAPSHOT-runner.jar</code></pre>
</div>
</div>
<div class="paragraph">
<p>Finally test the new endpoint:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">curl http://localhost:8080/hello/private-key</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should see:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">123456</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="programmatic-access-to-the-kv-secret-engine"><a class="anchor" href="#programmatic-access-to-the-kv-secret-engine"></a>Programmatic access to the KV secret engine</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Sometimes secrets are retrieved from an arbitrary path that is known only at runtime through an application
specific property, or a method argument for instance.
In that case it is possible to inject a Quarkus <code>VaultKVSecretEngine</code>, and retrieve secrets programmatically.</p>
</div>
<div class="paragraph">
<p>For instance, in <code>GreetingResource</code>, add:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">@Inject
VaultKVSecretEngine kvSecretEngine;

...

@GET
@Path("/secrets/{vault-path}")
@Produces(MediaType.TEXT_PLAIN)
public String getSecrets(@PathParam("vault-path") String vaultPath) {
    return kvSecretEngine.readSecret("myapps/vault-quickstart/" + vaultPath).toString();
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Add a new key in Vault:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">vault kv put secret/myapps/vault-quickstart/private mysecret=abc</code></pre>
</div>
</div>
<div class="paragraph">
<p>Restart the application after rebuilding it, and test it with the new endpoint:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">curl http://localhost:8080/hello/secrets/private</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should see:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">{mysecret=abc}</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="totp"><a class="anchor" href="#totp"></a>TOTP Secrets Engine</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <a href="https://www.vaultproject.io/docs/secrets/totp/">Vault TOTP secrets engine</a> generates time-based credentials according to the TOTP standard.</p>
</div>
<div class="paragraph">
<p>Vault TOTP supports both the generator scenario (like Google Authenticator) and the provider scenario (like the Google.com sign in).</p>
</div>
<div class="paragraph">
<p>The Vault extension integrates with the Vault TOTP secret engine by providing an <code>io.quarkus.vault.VaultTOTPSecretEngine</code> class.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">import io.quarkus.vault.VaultTOTPSecretEngine;
import io.quarkus.vault.secrets.totp.CreateKeyParameters;
import io.quarkus.vault.secrets.totp.KeyConfiguration;
import io.quarkus.vault.secrets.totp.KeyDefinition;

@Inject
VaultTOTPSecretEngine vaultTOTPSecretEngine;

CreateKeyParameters createKeyParameters = new CreateKeyParameters("Google", "test@gmail.com");
createKeyParameters.setPeriod("30m");

/** Google Authentication logic */

final Optional&lt;KeyDefinition&gt; myKey = vaultTOTPSecretEngine
                                            .createKey("my_key_2", createKeyParameters); <i class="conum" data-value="1"></i><b>(1)</b> <i class="conum" data-value="2"></i><b>(2)</b>

final String keyCode = vaultTOTPSecretEngine.generateCode("my_key_2"); <i class="conum" data-value="3"></i><b>(3)</b>

/** Google Login logic */

boolean valid = vaultTOTPSecretEngine.validateCode("my_key_2", keyCode); <i class="conum" data-value="4"></i><b>(4)</b></code></pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>Create a key to generate codes.</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td><code>KeyDefinition</code> class contains an embeddable base64 QR code that can be used by third-party code generators.</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>Generates a code (not using third-party generator).</td>
</tr>
<tr>
<td><i class="conum" data-value="4"></i><b>4</b></td>
<td>Validates that the code is valid.</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="vault-health-check"><a class="anchor" href="#vault-health-check"></a>Vault Health Check</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If you are using the <code>quarkus-smallrye-health</code> extension, <code>quarkus-vault</code> can add a readiness health check
to validate the connection to the Vault server. This is disabled by default.</p>
</div>
<div class="paragraph">
<p>If enabled, when you access the <code>/health/ready</code> endpoint of your application you will have information about the connection validation status.</p>
</div>
<div class="paragraph">
<p>This behavior can be enabled by setting the <code>quarkus.vault.health.enabled</code> property to <code>true</code> in your <code>application.properties</code>.</p>
</div>
<div class="paragraph">
<p>Only if Vault is initialized, unsealed and active, the health endpoint returns that Vault is ready to serve requests.</p>
</div>
<div class="paragraph">
<p>You can change a bit this behaviour by using <code>quarkus.vault.health.stand-by-ok</code> and <code>quarkus.vault.health.performance-stand-by-ok</code> to <code>true</code> in your <code>application.properties</code>.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">stand-by-ok</dt>
<dd>
<p>Specifies if being a standby should still return the active status code instead of the standby status code.</p>
</dd>
<dt class="hdlist1">performance-stand-by-ok</dt>
<dd>
<p>Specifies if being a performance standby should still return the active status code instead of the performance standby status code.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>You can inject <code>io.quarkus.vault.VaultSystemBackendEngine</code> to run system operations programmatically.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
When the readiness probe is failing in Kubernetes, then the application is not reachable. This means that if Vault is failing, all services depending on Vault will become unreachable and maybe this is not the desired state, so use this flag according to your requirements.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="tls"><a class="anchor" href="#tls"></a>TLS</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In production mode, TLS should be activated between the Quarkus application and Vault to prevent <em>man-in-the-middle</em> attacks.</p>
</div>
<div class="paragraph">
<p>There are several ways to configure the Quarkus application:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>through the standard <code>javax.net.ssl.trustStore</code> system property, which should refer to a JKS truststore containing
the trusted certificates</p>
</li>
<li>
<p>using property <code>quarkus.vault.tls.ca-cert</code>, which should refer to a pem encoded file.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>If <code>quarkus.vault.tls.ca-cert</code> is not set and the Quarkus application is using the Kubernetes authentication,
TLS will be active and use the CA certificate bundle located in <code>/var/run/secrets/kubernetes.io/serviceaccount/ca.crt</code>.
If you want to disable this behavior (for instance when using a trust store), you need to set it explicitly using:
<code>quarkus.vault.tls.use-kubernetes-ca-cert=false</code>.</p>
</div>
<div class="paragraph">
<p>The last relevant property is <code>quarkus.vault.tls.skip-verify</code>, which allows to communicate with Vault using TLS,
but without checking the certificate authenticity. This may be convenient in development, but is strongly
discouraged in production as it is not more secure than talking to Vault in plain HTTP.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="vault-provisioning"><a class="anchor" href="#vault-provisioning"></a>Vault Provisioning</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Beside the typical client use cases, the Quarkus extension can be used to provision Vault as well,
for instance as part of a CD pipeline. Specific CDI beans support this scenario:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>VaultSystemBackendEngine</code>: create Vault Policies. See the <a href="https://www.vaultproject.io/api-docs/system/policy">Vault documentation</a>.</p>
</li>
<li>
<p><code>VaultKubernetesAuthService</code>. See the <a href="https://www.vaultproject.io/api-docs/auth/kubernetes">Vault documentation</a>.</p>
<div class="ulist">
<ul>
<li>
<p>Configure the Kubernetes Auth Method (Kubernetes host, certificates, keys, &#8230;&#8203;)</p>
</li>
<li>
<p>Create Kubernetes Auth Roles (association between Kubernetes service accounts, Kubernetes namespaces and Vault policies)</p>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<p>For instance:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">@Inject
VaultSystemBackendEngine vaultSystemBackendEngine;

@Inject
VaultKubernetesAuthService vaultKubernetesAuthService;

...

  String rules = "path \"transit/*\" {\n" +
          "  capabilities = [ \"create\", \"read\", \"update\" ]\n" +
          "}";
  String policyName = "sys-test-policy";
  vaultSystemBackendEngine.createUpdatePolicy(policyName, rules);

  String roleName = "test-auth-k8s";
  List&lt;String&gt; boundServiceAccountNames = asList("vault-auth");
  List&lt;String&gt; boundServiceAccountNamespaces = asList("default");
  List&lt;String&gt; tokenPolicies = asList(policyName);

  vaultKubernetesAuthService.createRole(roleName, new VaultKubernetesAuthRole()
          .setBoundServiceAccountNames(boundServiceAccountNames)
          .setBoundServiceAccountNamespaces(boundServiceAccountNamespaces)
          .setTokenPolicies(tokenPolicies));</code></pre>
</div>
</div>
<div class="paragraph">
<p>Like any client, a provisioning program would have to authenticate using one of the supported Auth methods, and get the appropriate grants through one or more policies. Example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-none hljs"># create Policies
path "sys/policy/*" {
  capabilities = ["read", "create", "update", "delete"]
}

# create Kubernetes Auth Roles
path "auth/kubernetes/role/*" {
  capabilities = ["read", "create", "update", "delete"]
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should adjust to the minimal set of access rights depending on your specific use case.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="conclusion"><a class="anchor" href="#conclusion"></a>Conclusion</h2>
<div class="sectionbody">
<div class="paragraph">
<p>As a general matter, you should consider reading the extensive <a href="https://www.vaultproject.io/docs/">Vault documentation</a>
and apply best practices.</p>
</div>
<div class="paragraph">
<p>The features exposed today through the Vault extension covers only a small fraction of what the product is capable of.
Still, it addresses already some of the most common microservices scenarii (e.g. sensitive configuration and database
credentials), which goes a long way towards creating secured applications.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuration-reference"><a class="anchor" href="#configuration-reference"></a>Configuration Reference</h2>
<div class="sectionbody">
<div class="paragraph configuration-legend">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> Configuration property fixed at build time - All other configuration properties are overridable at runtime</p>
</div>
<table class="tableblock frame-all grid-all stretch configuration-reference searchable">
<colgroup>
<col style="width: 80%;">
<col style="width: 10%;">
<col style="width: 10%;">
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-vault_configuration"></a><a href="#quarkus-vault_configuration">Configuration property</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.url"></a><code><a href="#quarkus-vault_quarkus.vault.url">quarkus.vault.url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Vault server url.
&lt;p&gt;
Example: <a href="https://localhost:8200" class="bare">https://localhost:8200</a>
&lt;p&gt;
See also the documentation for the <code>kv-secret-engine-mount-path</code> property for some insights on how
the full Vault url gets built.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/net/URL.html">URL</a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.renew-grace-period"></a><code><a href="#quarkus-vault_quarkus.vault.renew-grace-period">quarkus.vault.renew-grace-period</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Renew grace period duration.
&lt;p&gt;
This value if used to extend a lease before it expires its ttl, or recreate a new lease before the current
lease reaches its max_ttl.
By default Vault leaseDuration is equal to 7 days (ie: 168h or 604800s).
If a connection pool maxLifetime is set, it is reasonable to set the renewGracePeriod to be greater
than the maxLifetime, so that we are sure we get a chance to renew leases before we reach the ttl.
In any case you need to make sure there will be attempts to fetch secrets within the renewGracePeriod,
because that is when the renewals will happen. This is particularly important for db dynamic secrets
because if the lease reaches its ttl or max_ttl, the password of the db user will become invalid and
it will be not longer possible to log in.
This value should also be smaller than the ttl, otherwise that would mean that we would try to recreate
leases all the time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>1H</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.secret-config-cache-period"></a><code><a href="#quarkus-vault_quarkus.vault.secret-config-cache-period">quarkus.vault.secret-config-cache-period</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Vault config source cache period.
&lt;p&gt;
Properties fetched from vault as MP config will be kept in a cache, and will not be fetched from vault
again until the expiration of that period.
This property is ignored if <code>secret-config-kv-path</code> is not set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.secret-config-kv-path"></a><code><a href="#quarkus-vault_quarkus.vault.secret-config-kv-path">quarkus.vault.secret-config-kv-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of comma separated vault paths in kv store,
where all properties will be available as MP config properties <strong>as-is</strong>, with no prefix.
&lt;p&gt;
For instance, if vault contains property <code>foo</code>, it will be made available to the
quarkus application as <code>@ConfigProperty(name = "foo") String foo;</code>
&lt;p&gt;
If 2 paths contain the same property, the last path will win.
&lt;p&gt;
For instance if
&lt;p&gt;
* <code>secret/base-config</code> contains <code>foo=bar</code> and
* <code>secret/myapp/config</code> contains <code>foo=myappbar</code>, then
&lt;p&gt;
<code>@ConfigProperty(name = "foo") String foo</code> will have value <code>myappbar</code>
with application properties <code>quarkus.vault.secret-config-kv-path=base-config,myapp/config</code>
&lt;p&gt;
See also the documentation for the <code>kv-secret-engine-mount-path</code> property for some insights on how
the full Vault url gets built.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.log-confidentiality-level"></a><code><a href="#quarkus-vault_quarkus.vault.log-confidentiality-level">quarkus.vault.log-confidentiality-level</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Used to hide confidential infos, for logging in particular.
Possible values are:
&lt;p&gt;
* low: display all secrets.
* medium: display only usernames and lease ids (ie: passwords and tokens are masked).
* high: hide lease ids and dynamic credentials username.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>low</code>, <code>medium</code>, <code>high</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>medium</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.kv-secret-engine-version"></a><code><a href="#quarkus-vault_quarkus.vault.kv-secret-engine-version">quarkus.vault.kv-secret-engine-version</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Kv secret engine version.
&lt;p&gt;
see <a href="https://www.vaultproject.io/docs/secrets/kv/index.html" class="bare">https://www.vaultproject.io/docs/secrets/kv/index.html</a></p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>2</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.kv-secret-engine-mount-path"></a><code><a href="#quarkus-vault_quarkus.vault.kv-secret-engine-mount-path">quarkus.vault.kv-secret-engine-mount-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>KV secret engine path.
&lt;p&gt;
This value is used when building the url path in the KV secret engine programmatic access
(i.e. <code>VaultKVSecretEngine</code>) and the vault config source (i.e. fetching configuration properties from Vault).
&lt;p&gt;
For a v2 KV secret engine (default - see <code>kv-secret-engine-version property</code>)
the full url is built from the expression <code>&lt;url&gt;/v1/&lt;/kv-secret-engine-mount-path&gt;/data/&#8230;&#8203;</code>.
&lt;p&gt;
With property <code>quarkus.vault.url=https://localhost:8200</code>, the following call
<code>vaultKVSecretEngine.readSecret("foo/bar")</code> would lead eventually to a <code>GET</code> on Vault with the following
url: <code><a href="https://localhost:8200/v1/secret/data/foo/bar" class="bare">https://localhost:8200/v1/secret/data/foo/bar</a></code>.
&lt;p&gt;
With a KV secret engine v1, the url changes to: <code>&lt;url&gt;/v1/&lt;/kv-secret-engine-mount-path&gt;/&#8230;&#8203;</code>.
&lt;p&gt;
The same logic is applied to the Vault config source. With <code>quarkus.vault.secret-config-kv-path=config/myapp</code>
The secret properties would be fetched from Vault using a <code>GET</code> on
<code><a href="https://localhost:8200/v1/secret/data/config/myapp" class="bare">https://localhost:8200/v1/secret/data/config/myapp</a></code> for a KV secret engine v2 (or
<code><a href="https://localhost:8200/v1/secret/config/myapp" class="bare">https://localhost:8200/v1/secret/config/myapp</a></code> for a KV secret engine v1).
&lt;p&gt;
see <a href="https://www.vaultproject.io/docs/secrets/kv/index.html" class="bare">https://www.vaultproject.io/docs/secrets/kv/index.html</a></p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>secret</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.connect-timeout"></a><code><a href="#quarkus-vault_quarkus.vault.connect-timeout">quarkus.vault.connect-timeout</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Timeout to establish a connection with Vault.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>5S</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.read-timeout"></a><code><a href="#quarkus-vault_quarkus.vault.read-timeout">quarkus.vault.read-timeout</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Request timeout on Vault.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>1S</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.secret-config-kv-path.-prefix-secret-config-kv-prefix-path"></a><code><a href="#quarkus-vault_quarkus.vault.secret-config-kv-path.-prefix-secret-config-kv-prefix-path">quarkus.vault.secret-config-kv-path."prefix"</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of comma separated vault paths in kv store,
where all properties will be available as <strong>prefixed</strong> MP config properties.
&lt;p&gt;
For instance if the application properties contains
<code>quarkus.vault.secret-config-kv-path.myprefix=config</code>, and
vault path <code>secret/config</code> contains <code>foo=bar</code>, then <code>myprefix.foo</code>
will be available in the MP config.
&lt;p&gt;
If the same property is available in 2 different paths for the same prefix, the last one
will win.
&lt;p&gt;
See also the documentation for the <code>kv-secret-engine-mount-path</code> property for some insights on how
the full Vault url gets built.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,List&lt;String&gt;&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.credentials-provider.-credentials-provider-.database-credentials-role"></a><code><a href="#quarkus-vault_quarkus.vault.credentials-provider.-credentials-provider-.database-credentials-role">quarkus.vault.credentials-provider."credentials-provider".database-credentials-role</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Database credentials role, as defined by <a href="https://www.vaultproject.io/docs/secrets/databases/index.html" class="bare">https://www.vaultproject.io/docs/secrets/databases/index.html</a></p>
</div>
<div class="paragraph">
<p>One of <code>database-credentials-role</code> or <code>kv-path</code> needs to be defined. not both.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.credentials-provider.-credentials-provider-.kv-path"></a><code><a href="#quarkus-vault_quarkus.vault.credentials-provider.-credentials-provider-.kv-path">quarkus.vault.credentials-provider."credentials-provider".kv-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A path in vault kv store, where we will find the kv-key.</p>
</div>
<div class="paragraph">
<p>One of <code>database-credentials-role</code> or <code>kv-path</code> needs to be defined. not both.</p>
</div>
<div class="paragraph">
<p>see <a href="https://www.vaultproject.io/docs/secrets/kv/index.html" class="bare">https://www.vaultproject.io/docs/secrets/kv/index.html</a></p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.credentials-provider.-credentials-provider-.kv-key"></a><code><a href="#quarkus-vault_quarkus.vault.credentials-provider.-credentials-provider-.kv-key">quarkus.vault.credentials-provider."credentials-provider".kv-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Key name to search in vault path <code>kv-path</code>. The value for that key is the credential.</p>
</div>
<div class="paragraph">
<p><code>kv-key</code> should not be defined if <code>kv-path</code> is not.</p>
</div>
<div class="paragraph">
<p>see <a href="https://www.vaultproject.io/docs/secrets/kv/index.html" class="bare">https://www.vaultproject.io/docs/secrets/kv/index.html</a></p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>password</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-vault_quarkus.vault.health"></a><a href="#quarkus-vault_quarkus.vault.health">Health check configuration</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> <a id="quarkus-vault_quarkus.vault.health.enabled"></a><code><a href="#quarkus-vault_quarkus.vault.health.enabled">quarkus.vault.health.enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Whether or not an health check is published in case the smallrye-health extension is present.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> <a id="quarkus-vault_quarkus.vault.health.stand-by-ok"></a><code><a href="#quarkus-vault_quarkus.vault.health.stand-by-ok">quarkus.vault.health.stand-by-ok</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Specifies if being a standby should still return the active status code instead of the standby status code.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> <a id="quarkus-vault_quarkus.vault.health.performance-stand-by-ok"></a><code><a href="#quarkus-vault_quarkus.vault.health.performance-stand-by-ok">quarkus.vault.health.performance-stand-by-ok</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Specifies if being a performance standby should still return the active status code instead of the performance standby status code.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-vault_quarkus.vault.authentication"></a><a href="#quarkus-vault_quarkus.vault.authentication">Authentication</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.client-token"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.client-token">quarkus.vault.authentication.client-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Vault token, bypassing Vault authentication (kubernetes, userpass or approle). This is useful in development where an authentication mode might not have been set up. In production we will usually prefer some authentication such as userpass, or preferably kubernetes, where Vault tokens get generated with a TTL and some ability to revoke them. Lease renewal does not apply.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.client-token-wrapping-token"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.client-token-wrapping-token">quarkus.vault.authentication.client-token-wrapping-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client token wrapped in a wrapping token, such as what is returned by:
 vault token create -wrap-ttl=60s -policy=myapp
 client-token and client-token-wrapping-token are exclusive. Lease renewal does not apply.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.app-role.role-id"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.app-role.role-id">quarkus.vault.authentication.app-role.role-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Role Id for AppRole auth method. This property is required when selecting the app-role authentication type.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.app-role.secret-id"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.app-role.secret-id">quarkus.vault.authentication.app-role.secret-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Secret Id for AppRole auth method. This property is required when selecting the app-role authentication type.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.app-role.secret-id-wrapping-token"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.app-role.secret-id-wrapping-token">quarkus.vault.authentication.app-role.secret-id-wrapping-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Wrapping token containing a Secret Id, obtained from:
 vault write -wrap-ttl=60s -f auth/approle/role/myapp/secret-id
 secret-id and secret-id-wrapping-token are exclusive</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.userpass.username"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.userpass.username">quarkus.vault.authentication.userpass.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>User for userpass auth method. This property is required when selecting the userpass authentication type.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.userpass.password"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.userpass.password">quarkus.vault.authentication.userpass.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Password for userpass auth method. This property is required when selecting the userpass authentication type.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.userpass.password-wrapping-token"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.userpass.password-wrapping-token">quarkus.vault.authentication.userpass.password-wrapping-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Wrapping token containing a Password, obtained from:
 vault kv get -wrap-ttl=60s secret/
 The key has to be 'password', meaning the password has initially been provisioned with:
 vault kv put secret/ password=
 password and password-wrapping-token are exclusive</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.kubernetes.role"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.kubernetes.role">quarkus.vault.authentication.kubernetes.role</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Kubernetes authentication role that has been created in Vault to associate Vault policies, with Kubernetes service accounts and/or Kubernetes namespaces. This property is required when selecting the Kubernetes authentication type.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.kubernetes.jwt-token-path"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.kubernetes.jwt-token-path">quarkus.vault.authentication.kubernetes.jwt-token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Location of the file containing the Kubernetes JWT token to authenticate against in Kubernetes authentication mode.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>/var/run/secrets/kubernetes.io/serviceaccount/token</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.authentication.kubernetes.auth-mount-path"></a><code><a href="#quarkus-vault_quarkus.vault.authentication.kubernetes.auth-mount-path">quarkus.vault.authentication.kubernetes.auth-mount-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Allows configure Kubernetes authentication mount path.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>auth/kubernetes</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-vault_quarkus.vault.tls"></a><a href="#quarkus-vault_quarkus.vault.tls">TLS</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.tls.skip-verify"></a><code><a href="#quarkus-vault_quarkus.vault.tls.skip-verify">quarkus.vault.tls.skip-verify</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Allows to bypass certificate validation on TLS communications.
 If true this will allow TLS communications with Vault, without checking the validity of the certificate presented by Vault. This is discouraged in production because it allows man in the middle type of attacks.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.tls.ca-cert"></a><code><a href="#quarkus-vault_quarkus.vault.tls.ca-cert">quarkus.vault.tls.ca-cert</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate bundle used to validate TLS communications with Vault.
 The path to a pem bundle file, if TLS is required, and trusted certificates are not set through javax.net.ssl.trustStore system property.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.tls.use-kubernetes-ca-cert"></a><code><a href="#quarkus-vault_quarkus.vault.tls.use-kubernetes-ca-cert">quarkus.vault.tls.use-kubernetes-ca-cert</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If true and Vault authentication type is kubernetes, TLS will be active and the cacert path will be set to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. If set, this setting will take precedence over property quarkus.vault.tls.ca-cert. This means that if Vault authentication type is kubernetes and we want to use quarkus.vault.tls.ca-cert or system property javax.net.ssl.trustStore, then this property should be set to false.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-vault_quarkus.vault.transit"></a><a href="#quarkus-vault_quarkus.vault.transit">Transit Engine</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.transit.key.-key-.name"></a><code><a href="#quarkus-vault_quarkus.vault.transit.key.-key-.name">quarkus.vault.transit.key."key".name</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Specifies the name of the key to use. By default this will be the property key alias. Used when
the same transit key is used with different configurations. Such as in:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-none hljs">quarkus.vault.transit.key.my-foo-key.name=foo

quarkus.vault.transit.key.my-foo-key-with-prehashed.name=foo
quarkus.vault.transit.key.my-foo-key-with-prehashed.prehashed=true
...
transitSecretEngine.sign("my-foo-key", "my raw content");
or
transitSecretEngine.sign("my-foo-key-with-prehashed", "my already hashed content");</code></pre>
</div>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.transit.key.-key-.prehashed"></a><code><a href="#quarkus-vault_quarkus.vault.transit.key.-key-.prehashed">quarkus.vault.transit.key."key".prehashed</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Set to true when the input is already hashed. Applies to sign operations.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.transit.key.-key-.signature-algorithm"></a><code><a href="#quarkus-vault_quarkus.vault.transit.key.-key-.signature-algorithm">quarkus.vault.transit.key."key".signature-algorithm</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>When using a RSA key, specifies the RSA signature algorithm. Applies to sign operations.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.transit.key.-key-.hash-algorithm"></a><code><a href="#quarkus-vault_quarkus.vault.transit.key.-key-.hash-algorithm">quarkus.vault.transit.key."key".hash-algorithm</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Specifies the hash algorithm to use for supporting key types. Applies to sign operations.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.transit.key.-key-.type"></a><code><a href="#quarkus-vault_quarkus.vault.transit.key.-key-.type">quarkus.vault.transit.key."key".type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Specifies the type of key to create for the encrypt operation. Applies to encrypt operations.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-vault_quarkus.vault.transit.key.-key-.convergent-encryption"></a><code><a href="#quarkus-vault_quarkus.vault.transit.key.-key-.convergent-encryption">quarkus.vault.transit.key."key".convergent-encryption</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If enabled, the key will support convergent encryption, where the same plaintext creates the same ciphertext. Applies to encrypt operations.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
</tbody>
</table>
<div id="duration-note-anchor" class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">About the Duration format</div>
<div class="paragraph">
<p>The format for durations uses the standard <code>java.time.Duration</code> format.
You can learn more about it in the <a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-">Duration#parse() javadoc</a>.</p>
</div>
<div class="paragraph">
<p>You can also provide duration values starting with a number.
In this case, if the value consists only of a number, the converter treats the value as seconds.
Otherwise, <code>PT</code> is implicitly prepended to the value to obtain a standard <code>java.time.Duration</code> format.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
    </div>
  </div>
</div>

  </div>

  <div class="content project-footer">
  <div class="footer-section">
    <div class="logo-wrapper">
      <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_reverse.svg" class="project-logo" title="Quarkus"></a>
    </div>
  </div>
  <div class="grid-wrapper">
    <p class="grid__item width-3-12">Quarkus is open. All dependencies of this project are available under the <a href='https://www.apache.org/licenses/LICENSE-2.0' target='_blank'>Apache Software License 2.0</a> or compatible license.<br /><br />This website was built with <a href='https://jekyllrb.com/' target='_blank'>Jekyll</a>, is hosted on <a href='https://pages.github.com/' target='_blank'>Github Pages</a> and is completely open source. If you want to make it better, <a href='https://github.com/quarkusio/quarkusio.github.io' target='_blank'>fork the website</a> and show us what you’ve got.</p>

    
      <div class="width-1-12 project-links">
        <span>Navigation</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="/">Home</a></li>
          
            <li><a href="/guides">Guides</a></li>
          
            <li><a href="/community/#contributing">Contribute</a></li>
          
            <li><a href="/faq">FAQ</a></li>
          
            <li><a href="/get-started">Get Started</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Contribute</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://twitter.com/quarkusio">Follow us</a></li>
          
            <li><a href="https://github.com/quarkusio">GitHub</a></li>
          
            <li><a href="/security">Security&nbsp;policy</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Get Help</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://groups.google.com/forum/#!forum/quarkus-dev">Forums</a></li>
          
            <li><a href="https://quarkusio.zulipchat.com">Chatroom</a></li>
          
        </ul>
      </div>
    

    
      <div class="width-3-12 more-links">
        <span>Quarkus is made of community projects</span>
        <ul class="footer-links">
          
            <li><a href="https://vertx.io/" target="_blank">Eclipse Vert.x</a></li>
          
            <li><a href="https://microprofile.io" target="_blank">Eclipse MicroProfile</a></li>
          
            <li><a href="https://hibernate.org" target="_blank">Hibernate</a></li>
          
            <li><a href="https://netty.io" target="_blank">Netty</a></li>
          
            <li><a href="https://resteasy.github.io" target="_blank">RESTEasy</a></li>
          
            <li><a href="https://camel.apache.org" target="_blank">Apache Camel</a></li>
          
            <li><a href="https://code.quarkus.io/" target="_blank">And many more...</a></li>
          
        </ul>
      </div>
    
  </div>
</div>
  <div class="content redhat-footer">
  <div class="grid-wrapper">
    <span class="licence">
      <i class="fab fa-creative-commons"></i><i class="fab fa-creative-commons-by"></i> <a href="https://creativecommons.org/licenses/by/3.0/" target="_blank">CC by 3.0</a> | <a href="https://www.redhat.com/en/about/privacy-policy">Privacy Policy</a>
    </span>
    <span class="redhat">
      Sponsored by
    </span>
    <span class="redhat-logo">
      <a href="https://www.redhat.com/" target="_blank"><img src="/assets/images/redhat_reversed.svg"></a>
    </span>
  </div>
</div>


  <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx" crossorigin="anonymous"></script>
  <script type="text/javascript" src="/assets/javascript/mobile-nav.js"></script>
  <script type="text/javascript" src="/assets/javascript/scroll-down.js"></script>
  <script src="/assets/javascript/satellite.js" type="text/javascript"></script>
  <script src="https://quarkus.io/guides/javascript/config.js" type="text/javascript"></script>
  <script src="/assets/javascript/search-filter.js" type="text/javascript"></script>
  <script src="/assets/javascript/back-to-top.js" type="text/javascript"></script>
</body>

</html>
